MFA Fatigue: The Hidden Danger and How to Combat It

by | Apr/28/2023

Attackers routinely obtain users’ passwords, so organizations and individuals cannot rely on a password alone to secure logins.

Logins often go like this:
1. User enters a password
2. The user receives a text message with a one-time code and enters it to confirm it is really them

Requiring that second step is called MFA (Multi-Factor Authentication): the login needs something the user knows (the password) plus something the user has (the phone).

Typing codes is tedious, so many organizations use push notifications instead:
1. User enters a password
2. An authenticator app on the user’s phone asks, “Is that you trying to log in?” The user taps “Yes” and is in. If the attempt is an attacker’s, the user can ignore the alert or tap “No.”

Attackers have learned to bypass this approve-button protection. Once they have the user’s password, they repeatedly attempt to log in, and every attempt sends another push prompt to the target’s phone, sometimes dozens in a row, at any hour. Worn down by the interruptions, some users eventually tap “Approve” just to make the alerts stop, without realizing they have just let the attacker in. This is MFA fatigue, also called push bombing.

If you use push notifications, ensure they require the user to type into the phone app a short number (at least two digits) displayed on the device where the password was entered, rather than simply tapping “Approve.” Because the number appears only on the login screen, whoever approves the push must be able to see that screen. An attacker’s login attempt displays the number on the attacker’s screen, which the victim cannot see, so the victim can no longer approve it by reflex. The process becomes:
1. The user enters a password on the device they’re logging into.
2. The authenticator app asks, “What number is your login screen displaying?” The user types the number, and they’re logged in.
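The following toy model, added here and not code from the post’s author or from any vendor, walks through both flows described above: the plain approve-button push and the number-matching push. The names (AuthServer, LoginScreen, the sample credential) are assumptions made for the example, and the challenge is a two-digit number drawn by the server. The point it shows is that a worn-down user who taps “Approve” lets the attacker in under the plain flow, while under number matching the user cannot supply a number that was only ever shown on the attacker’s screen.

```python
"""Toy model of push-approval MFA versus number-matching MFA (added example)."""
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Constructed sample credential; in the post's scenario the attacker already has it.
PASSWORD_DB = {"alice": "correct horse battery staple"}


@dataclass
class LoginScreen:
    """The device where the password was typed. With number matching, it is the
    only place the challenge number is ever displayed."""
    shown_number: Optional[str] = None


@dataclass
class AuthServer:
    """Hypothetical identity provider. require_number_match switches between the
    plain 'Approve/Deny' push and the number-matching push."""
    require_number_match: bool
    rng: Optional[Callable[[int], int]] = None  # injectable for deterministic tests
    pending: Dict[str, Optional[str]] = field(default_factory=dict)  # session -> expected number

    def start_login(self, user: str, password: str, screen: LoginScreen) -> Optional[str]:
        """First factor. On success, 'send' a push to the user's phone and, if number
        matching is on, show a fresh two-digit number on the login screen only."""
        if PASSWORD_DB.get(user) != password:
            return None
        draw = self.rng or secrets.randbelow
        session = secrets.token_hex(8)
        number = f"{draw(100):02d}" if self.require_number_match else None
        self.pending[session] = number
        screen.shown_number = number
        return session

    def approve(self, session: str, entered: Optional[str] = None) -> bool:
        """Second factor, answered from the phone. Each push can be answered once."""
        if session not in self.pending:
            return False
        expected = self.pending.pop(session)
        if expected is None:  # plain push: a tap on 'Approve' is enough
            return True
        return entered is not None and secrets.compare_digest(entered, expected)


def legitimate_login(require_number_match: bool) -> bool:
    """Alice logs in herself: she can read the number off her own screen."""
    server = AuthServer(require_number_match)
    screen = LoginScreen()
    session = server.start_login("alice", PASSWORD_DB["alice"], screen)
    return server.approve(session, entered=screen.shown_number)


def fatigue_attack(require_number_match: bool, pushes: int = 25) -> bool:
    """The attacker, holding the stolen password, fires `pushes` logins in a row.
    Alice, worn down, answers the last prompt. She never sees the attacker's
    screen, so with number matching she can only guess. Returns True if the
    attacker's session was approved."""
    server = AuthServer(require_number_match, rng=lambda n: 42)  # fixed draw for determinism
    attacker_screen = LoginScreen()
    session = None
    for _ in range(pushes):
        session = server.start_login("alice", PASSWORD_DB["alice"], attacker_screen)
    # On Alice's phone: the plain push offers only 'Approve'; number matching asks for
    # a number she was never shown, so she types a guess (here "17").
    guess = "17" if require_number_match else None
    return server.approve(session, entered=guess)


if __name__ == "__main__":
    print("plain push, Alice herself   :", legitimate_login(False))  # True
    print("number match, Alice herself :", legitimate_login(True))   # True
    print("plain push, fatigue attack  :", fatigue_attack(False))    # True: attacker in
    print("number match, fatigue attack:", fatigue_attack(True))     # False: rejected
```

A blind guess still succeeds one time in a hundred per push under number matching, and each push grants one answer, so a flood of prompts with mismatched numbers is itself worth alerting on; this toy model does not include that rate limiting or reporting.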

Microsoft calls this “number matching” (Microsoft Authenticator), Duo calls it “Verified Duo Push,” and Okta calls it a number challenge (Okta Verify). Microsoft has announced that it will enforce number matching for all Microsoft Authenticator push notifications beginning in May 2023.

If you use push notifications, enable number matching as soon as possible to combat MFA fatigue. It stops the blind-approve attack; it does not, by itself, stop a real-time phishing site that relays the number to the victim, so treat it as a step toward phishing-resistant MFA rather than a substitute for it.

Please tell your friends to be sure they know this hidden danger and can tighten security in their organizations.